[Openid-specs-mobile-profile] Issue #50: Authenticate RP to Old OP during porting (openid/mobile)

Manger, James James.H.Manger at team.telstra.com
Fri Oct 7 06:59:30 UTC 2016


https://id.cto.telstra.com/2016/openid/draft-account-porting.html

I have updated the Account Porting draft to authenticate RPs to the Old OP; resolving issues #49 and #50.
Comments welcome.

The approach uses OAuth, so there is an additional request to swap a client_id/client_secret for an access_token before calling the Porting check API. This has its cons: an extra request, and it reuses the RP's client_id/client_secret for both interactive logins (code flow; acting on the user's behalf) and backend API access (client credentials flow; acting on the RP's behalf).

Other changes:
* Dropped the unencrypted port token option, which was a simplification if public (non-pairwise) Subject ids were used.
* Added text to the "Encrypting port_token" section about nonces; also moved the section.
* Dropped the sector_id query parameter from the Porting check API
* Explicitly listed half-a-dozen checks the Old OP MUST do for the Porting check to be secure

The new version is in the repo draft-account-porting.{xml|html|eg.png|eg.uml} https://bitbucket.org/openid/mobile/src and on my website https://id.cto.telstra.com/2016/openid/draft-account-porting.html.

To do:
* Add "move" vs "link" support
* Proper example values
* Describe which parts concern RPs, New OPs, and Old OPs
* Privacy considerations (porting lets another OP see all your logins; interesting corner-cases if Old or New OP uses pairwise subs while the other uses public subs)
* Check security considerations (haven't been touched from earlier proposal that was quite a different mechanism)
* Demo implementation

--
James Manger

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of James Manger
Sent: Wednesday, 5 October 2016 2:55 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Issue #50: Authenticate RP to Old OP during porting (openid/mobile)

New issue 50: Authenticate RP to Old OP during porting https://bitbucket.org/openid/mobile/issues/50/authenticate-rp-to-old-op-during-porting

James Manger:

draft-account-porting-01 assumes an encrypted port_token is basically a bearer token allowing the RP to call the Old OP to complete the porting flow without further authentication.

The Old OP is effectively leveraging the authentication of the RP by the New OP. This is awkward when the Old OP and New OP don't identify RPs in exactly the same way. Old & New OPs will have separate client_ids for a given RP, so that doesn't help. Old & New OPs should both understand the same sector_id for an RP. However, sector_ids might not be properly implemented everywhere. In particular, an OP that issues public subject ids doesn't use sector_ids.

See [email thread](http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20160926/000598.html).

Responsible: james_manger_telstra
_______________________________________________
Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
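The following is an added example, not code from the Account Porting draft or from the mailing list, illustrating the two points above: the bearer-style port_token of draft -01 (anyone holding it could call the Old OP) versus the updated approach, where the RP first exchanges its own client_id/client_secret at the Old OP for an access_token (client credentials grant) and only then calls the Porting check API. Everything below is assumed for illustration: the endpoint shapes, the field names, the registration data, and in particular the server-side lookup table standing in for the draft's encrypted port_token. The security property it demonstrates is that the Old OP derives the calling RP's identity (and hence which pairwise sub to return) from credentials it issued itself, never from the port_token or from anything the New OP asserted.

```python
"""Old OP side and RP side of an authenticated Porting check (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed Old OP client registry (assumption): two RPs with separate
# client_ids at this OP and a sector identifier used for pairwise subs.
CLIENTS = {
    "rp-old-123": {"secret": "s3cret-A", "sector_id": "rp-a.example"},
    "rp-old-456": {"secret": "s3cret-B", "sector_id": "rp-b.example"},
}
PAIRWISE_SALT = b"old-op-salt"  # constructed value


class OldOP:
    """Minimal Old OP: token endpoint plus Porting check API (hypothetical shapes)."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.access_tokens = {}  # access_token -> (client_id, expiry)
        # Stand-in for the draft's encrypted port_token: the OP keeps the
        # mapping port_token -> local user server-side instead (assumption).
        self.port_tokens = {}

    def issue_port_token(self, local_user):
        tok = secrets.token_urlsafe(16)
        self.port_tokens[tok] = local_user
        return tok

    def pairwise_sub(self, local_user, sector_id):
        """Pairwise subject id for a given user and RP sector (constructed scheme)."""
        msg = PAIRWISE_SALT + sector_id.encode() + b"|" + local_user.encode()
        return hashlib.sha256(msg).hexdigest()[:32]

    def token_endpoint(self, grant_type, client_id, client_secret):
        """Client credentials grant: the Old OP authenticates the RP itself."""
        if grant_type != "client_credentials":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        tok = secrets.token_urlsafe(32)
        self.access_tokens[tok] = (client_id, time.time() + self.ttl)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": self.ttl}

    def porting_check(self, authorization, port_token):
        """Porting check API. RP identity comes only from the access_token the
        Old OP issued; a port_token on its own is never accepted as a credential."""
        if not authorization.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        entry = self.access_tokens.get(authorization[len("Bearer "):])
        if entry is None or entry[1] < time.time():
            return 401, {"error": "invalid_token"}
        client_id = entry[0]
        local_user = self.port_tokens.get(port_token)
        if local_user is None:
            return 400, {"error": "invalid_port_token"}
        # The sector comes from the Old OP's own registration of the caller,
        # not from a query parameter and not from the New OP's view of the RP.
        sector_id = CLIENTS[client_id]["sector_id"]
        return 200, {"sub": self.pairwise_sub(local_user, sector_id)}


def rp_complete_porting(op, client_id, client_secret, port_token):
    """RP side: the extra token request, then the Porting check call."""
    tok = op.token_endpoint("client_credentials", client_id, client_secret)
    if "error" in tok:
        return 401, tok
    return op.porting_check("Bearer " + tok["access_token"], port_token)


if __name__ == "__main__":
    op = OldOP()
    pt = op.issue_port_token("alice")
    print("RP A:", rp_complete_porting(op, "rp-old-123", "s3cret-A", pt))
    print("RP B:", rp_complete_porting(op, "rp-old-456", "s3cret-B", pt))
    print("wrong secret:", rp_complete_porting(op, "rp-old-123", "guess", pt))
    print("port_token as bearer:", op.porting_check("Bearer " + pt, pt))
```

Two things to note when running it: the same port_token yields a different sub for RP A and RP B, because each RP's sector is looked up from the Old OP's own client registration after authentication; and presenting the port_token itself as a bearer credential, or presenting it with the wrong client_secret, is rejected, which is the draft -01 weakness the issue describes. A real deployment would still need the additional Old OP checks the updated draft lists (and the encrypted, nonce-bearing port_token it specifies), which this example does not model.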
